Ten 2015 Security Risk Lessons from 2014 Breaches

During this time of year, we start to see the lists of top 10 breaches and predictions for the next year. How accurate are these predictions anyway? Did anyone predict that we would have a social media breach (Snapchat) the first week of 2014? Or that the string of breaches at major retailers such as Michaels, P.F. Changs, Urban Outfitters, Jimmy Johns, Ebay, Home Depot and others would have happened so soon after the prominent late 2013 Target breach exposed information on 110 million individuals? Or that one of the largest healthcare breaches involving 4.5 million patients across 206 hospitals would be compromised due to one of the media-highlighted vulnerabilities (Heartbleed, Bashbug, Poodle, etc.)?

As if these breaches were not enough, information stored in faraway online cloud places, such as Apple iCloud, made us pause and wonder where the right places were to store our personal data. Banking organizations are continually attacked, but who would have predicted that JP Morgan Chase, an organization that invests US $250 million annually on security and employs 1,000 security professionals, would have been breached?

Target hired a new CEO, CIO and CISO, each from outside of the company, as a result of the headline-grabbing breach. While there have been multiple retailers coming clean with announcing breaches in the aftermath, Target has been the unfortunate 2014 security-investment-conversation-starter for many organizations at the board of directors level. Target must be breathing a sigh of relief these days with the recent press surrounding the Sony Pictures breach. The focus has now shifted from a retailer attack that was compromised through a third party to nation state breaches and their prevention and/or risk reduction, freedom of speech and appropriate government response.

And let’s not forget that there were many news articles expressing concern about the February Sochi Olympics in Russia. Either we had great defenses and cyber intelligence that made this a non-event, or it was just thata non-event. Will we ever really know? The FBI regularly notifies companies of breaches. There were more than 3,000 in 2013a number that we could have predicted would increase in 2014. Did it?

Would we have predicted that, according to the Identity Theft Resource Center (ITRC), approximately 750 breaches exposing more than 81 million records (56 million attributed to Home Depot) would be reported by mid-December 2014? And what about the breaches that are not required to be reported by legislation or the cases where breaches were reported, but the numbers exposed were simply unknown? Should we expect more or less next year?

Lessons learned
While some of these questions are difficult to answer, there are some clear takeaways for CISOs, auditors and information security professionals:

1. Information security will remain in the news as a frequent event. The breach of Sony Pictures has implications for how companies should respond to the breach (such as Sony’s pulling the release of the Interview due to the threats received), and how governments should respond to breaches. Expect political posturing and rhetoric within the US and between the US and North Korea for at least the first half of 2015. Discussions will shift to how nation state attacks should be dealt with by private enterprises and what is the cybersecurity responsibility of government.
2. There should be an increased push for NIST Cybersecurity Framework adoption. While released in early 2014 in response to the President’s executive directive, this voluntary framework could receive an increased government desire to move the framework beyond voluntary. ISACA’s COBIT is a key information reference in this framework, and a guide existsto help you implement the NIST framework using COBIT.
3. Vendor risk management should increase. The Target breach highlighted the importance of appropriately segregating networks and understanding vendor security practices. More attention will be placed on vendors, particularly cloud providers, with requests for SSAE16 SOC2, ISO27001 certification, or other independent assurance.
4. Incident response is as important as prevention. While the details of how the JP Morgan Chase breach occurred are still being investigated, it is clear that significant spending goes so far, and that every organization needs to ensure that they can adequately respond to a breach in a timely manner.
5. Public relations departments will continue to minimize the events. Unless the breach is in tens of millions of records or individuals, they will not be sustained by the news media. Expect to see these “small” breaches in the single-digit millions minimized by their respective organizations.
6. Encrypt external storage and hold the keys. With cloud providers maintaining the data, expect to see more attacks focused on these organizations. Small Software as a Service (SaaS) providers may be particularly vulnerable.
7. Data location will remain a top privacy issue. As countries do not trust each other with obtaining access to data without going through a lawful process, the preference for countries will be to have the data stored regionally (e.g., Canada, USA, European Union, Asia Pacific) and privacy laws will be promoted to retain information within country.
8. Security professionals will need to embrace mobile technology. With smartphone availability becoming ubiquitous concentrated with several top players, tablet shipments surpassing desktops, and an appetite for BYOD, actions must shift from BYOD avoidance to mobile embracement and ensuring secure mobile code development and administration.
9. Blocking and tackling has never been more important. Organizations must up the internal bar before the breach happens and invest in technologies that support COBIT 5 for security, NIST Cybersecurity Framework, ISO27001 Certification, SANS Top 20 Critical Controls, OWASP Top 10 and others. Running large organizations with one to two full-time security professionals (outside of identity and access management staff) can no longer be the model. A surprising number of large organizations run very lean with security leadership staffing. End-user behavior must be elevated with security awareness training and phishing simulations, as many of the breaches today start with malware introduced by phishing an end user.
10. Security skills shortage will continue and recruiters will need to be creative. Some accounts have indicated a near-zero information security professional unemployment rate. Organizations may need to turn to managed security service providers and developing interested internal professionals in security practices to provide assistance. Breaches have heightened awareness of the need, which in turn reduced the supply of available talent. This is one key area that ISACA’sCybersecurity Nexus (CSX) is addressing. Through CSX, ISACA aims to help companies develop their security workforces and help individuals develop or advance a career in cybersecurity.

Next year, we will have a new list of companies that have experienced major breaches. Odds are, one or more of the top 10 takeaways listed above will be involved. As we move into 2015, each of us needs to decide for our organizations which areas we will focus on most. To reduce the risk that we will not be the result of the latest comedy of errors, in the modified words of well-known comedian Larry the Cable Guy, we need to just “Git-R-Done.” I don’t care who you are, having a breach is not funny.

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, PMP
Global Director Information Security, Grant Thornton International, Ltd.

[ISACA]